On Mon, 23 Nov 2020 22:31:32 +0000 belgin <[email protected]> wrote:
> Hello!

Hi again,

I've reviewed part of the patchset already, and for the parts that looked good I pushed them already.

Here's my status on it so far:

[ OK ] packages/apps/PhoneCommon:
[ OK ]   -> bdac5aa5af2de5aca946f9bc0caf58b5b38935a6
[ OK ]      |-> Tag LineageOS mirror
[ OK ]      |-> Tag Replicant
[ OK ]   => Manifest

[ OK ] packages/apps/Dialer:
[ OK ]   -> a245d5701b0452145b2a813464fa2f1fec74fddd
[ OK ]      |-> Tag Replicant
[ OK ]      |-> Rebase last commit on top
[ NA ]   => Manifest

[    ] packages/apps/Messaging:
[ OK ]   Fork in Replicant
[    ]   -> 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74
[    ]      |-> Tag LineageOS mirror
[    ]      |-> Tag Replicant
[    ]   - Subject: [Replicant] [PATCH 1/9] Revert "Save messages to SIM feature"
[    ]   => Manifest

[    ] packages/apps/Contacts:
[ OK ]   Fork in Replicant
[    ]   -> 1e2ad0157e708d06728ef575aa556c1e0455d278
[    ]      |-> Tag LineageOS mirror
[    ]      |-> Tag Replicant
[    ]   => Manifest

[    ] packages/apps/ContactsCommon:
[ OK ]   Fork in Replicant
[    ]   -> 463be6a1088c8a3259d618ac67884a74ae8c2d8a
[    ]      |-> Tag LineageOS mirror
[    ]      |-> Tag Replicant
[    ]   => Manifest

[ OK ] vendor/replicant:
[ OK ]   - Subject: [Replicant] [PATCH] Remove ambientsdk
[ NA ]   => Manifest

[ OK ] packages/apps/InCallUI:
[ OK ]   -> d69ce6c2a65c3d451dfb5837678221e56fef1880
[ OK ]      |-> Tag LineageOS mirror
[ OK ]      |-> Tag Replicant
[ OK ]   - Subject: [Replicant] [PATCH] Fix building after removing ambientsdk
[ OK ]      |-> Re-apply on top of tag
[ OK ]   => Manifest

[ OK ] vendor/cmsdk:
[ OK ]   - Subject: [Replicant] [PATCH] Remove analytics support
[ NA ]   => Manifest

[ OK ] packages/apps/SetupWizard:
[ OK ]   - Subject: [Replicant] [PATCH] Remove analytics support
[ NA ]   => Manifest

[ OK ] packages/apps/Settings:
[ OK ]   - Subject: [Replicant] [PATCH] Remove analytics support
[ NA ]   => Manifest

[ OK ] packages/apps/Trebuchet:
[ OK ]   - Subject: [Replicant] [PATCH 1/4] Revert "IconCache: Simplify application of custom titles from STK"
[ OK ]   => Manifest

So I still have some patches and git hashes to review.

I also found an issue with the following:
> packages/apps/Messaging -> 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74

The issue with packages/apps/Messaging is that we have 3 CVEs if we revert to 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74:
> $ git log \
>   0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74..replicant-6.0-0004-rc3 | \
>   grep -i CVE
> CVE-2017-0780
> CVE-2017-0494
> CVE-2017-0476

The Manifest.xml has that:
> package="com.android.messaging"

So this looks like the default SMS application.

A solution would be to replace it with something else. Silence could be a good candidate.

Here are the advantages of shipping Silence:
- It would also make encrypted SMS easier to use, as you need to make Silence the default SMS application in order to properly decrypt the messages you received.
- The lower level of recovering Silence data or moving it is already documented in the Replicant wiki a bit.
- It doesn't force users to use encryption at all.

The disadvantage is that you can miss the ability to decrypt an SMS if it arrives when Silence is not the default application. I don't know the reason for that though.

I'm also not aware of other implementations of that protocol, so the risk here is that if people start using the encryption, they might end up being dependent on an application that only runs on 1 OS (Android).

Given that GNU/Linux starts gaining traction again on smartphones, that could be an issue, but I guess it's probably worth the tradeoff.

And shipping an application with known CVEs is probably worse than the potential downsides here.

Denis.
_______________________________________________
Replicant mailing list
[email protected]
https://lists.osuosl.org/mailman/listinfo/replicant
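
The following is an added example, not part of the original thread or of Replicant's tooling. It extends the `git log ... | grep -i CVE` check from the message so that each CVE id is paired with the commit that mentions it, which tells a reviewer which fixes a revert would drop and would need re-applying. The function names, the `@@commit` marker and the sample log (hashes and subjects) are constructed for illustration.

```shell
#!/bin/sh
# cve_commits: read `git log --format='@@commit %H%n%B'` text on stdin and
# print one "CVE-ID<TAB>short-hash" line per CVE mentioned in each commit,
# sorted and de-duplicated. Matching is case-insensitive, like `grep -i CVE`.
cve_commits() {
    awk '
        /^@@commit [0-9a-f]+$/ { hash = substr($2, 1, 12); next }
        {
            line = toupper($0)
            # A line may mention several CVE ids; consume them one by one.
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH) "\t" hash
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' | sort -u
}

# cves_lost_by_revert OLD NEW: CVE-tagged commits reachable from NEW but not
# from OLD, i.e. the fixes that disappear if the tree is reset to OLD.
# Run inside the repository, e.g. with the range quoted in the message.
cves_lost_by_revert() {
    git log --format='@@commit %H%n%B' "$1..$2" | cve_commits
}

# Constructed sample log (hashes and subjects are made up) so the parser can
# be exercised without a repository.
sample_log() {
    cat <<'EOF'
@@commit 1111111111111111111111111111111111111111
Constructed subject A

Bug: 0000 cve-2017-0780
@@commit 2222222222222222222222222222222222222222
Constructed subject B (CVE-2017-0494)
@@commit 3333333333333333333333333333333333333333
Constructed subject C, no security tag
@@commit 4444444444444444444444444444444444444444
Constructed subject D

CVE-2017-0476
Also mentions CVE-2017-0494 again
EOF
}

sample_log | cve_commits
```
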
